Getting Started with Yubico Login for Windows

  • Asa
  • March 19, 2025
  • Reading time: 4 min

Recently, there has been a growing demand to use YubiKey for Windows logon authentication to strengthen security through two-factor authentication. To meet such needs, our company offers various services such as "YubiOn Portal" and "YubiOn WindowsLogon Standalone".


In addition to our services, Yubico, the manufacturer of YubiKey, also provides a free Windows authentication tool called "Yubico Login for Windows" (hereafter referred to as "Yubico Login"). This tool allows you to log on to Windows using a YubiKey for Windows local accounts.


In this article, we will share our experience using the "Yubico Login" tool, while also highlighting similarities and differences compared to our offline Windows authentication service, "YubiOn WindowsLogon Standalone".



■ Test Environment

We tested under the following conditions:

  • OS: Windows 11

  • Authentication Device: YubiKey 5 Series

  • Account: Windows local account (Administrator)


"Yubico Login" supports Windows local accounts only.

 Point:

"YubiOn WindowsLogon Standalone" supports not only Windows local accounts but also Active Directory accounts and Microsoft accounts.



■ Installation

Download the installer and proceed with the installation.

After installation, click “Yes” and restart the OS.


When the OS restarts, "Yubico Login" will appear on the logon screen, but until you assign a YubiKey, you can still log on using just your username and password.

Log on once, then launch the configuration tool to register the user and YubiKey.


One important note during registration: since authentication uses challenge-response, the YubiKey slot will be overwritten (by default, Slot 2 is used).

Therefore, it is recommended to use a YubiKey that you don’t mind being overwritten.


First, you will be asked to choose a setup method:

  • “Express” for a quick and easy setup

  • “Advanced” for detailed configuration options

If you select “Advanced,” you can configure options such as generating a recovery code and creating a backup device. However, since we didn’t make any changes this time, we chose “Express.”


You will then be prompted to insert a YubiKey, so plug the YubiKey you want to register into a USB port.

The YubiKey’s serial number and slot configuration status will be displayed.

Then, click “Next,” and…

The YubiKey registration process is complete.

Next, insert and register a second YubiKey as a backup by following the same steps.

(In this case, we registered the same YubiKey as the first one.)


Finally, an emergency recovery code will be displayed. The recovery code allows you to log on without a YubiKey by manually entering the code on the logon screen if the registered YubiKey is lost.

Since you won’t be able to retrieve it after proceeding to the next step, we recommend saving it at this point.

This completes the registration process.


■ Authentication

Now, let’s actually try the authentication process.

The method is simple.

First, on the Windows logon screen at startup, "Yubico Login" will be displayed.


Basically, the user is specified by typing the username into a text field rather than by selecting it from a list.

If you try to log on without a YubiKey inserted, an error message will appear.

If an unassigned YubiKey is inserted, you will also be prompted to insert the correct YubiKey.

With the correct YubiKey inserted, enter your username and password.

If authentication is successful, you will be logged in as usual.

It was relatively easy to implement two-factor authentication using YubiKey.


By the way, with "Yubico Login", touching the YubiKey during logon is not required (depending on the settings).

 Point:

With "YubiOn WindowsLogon Standalone", OTP is required during logon, so touching the YubiKey is necessary.


If Windows sign-in options whose names start with "Windows Hello" (e.g., Windows Hello PIN) are in use, users can log on without a YubiKey even if the key is configured in Yubico Login.

For accounts protected by Yubico Login, it’s recommended to disable Windows Hello and similar options.



■ Features

Other notable features are as follows:


◯ YubiKey Assignment:

Yubico Login offers relatively flexible YubiKey assignment options:

  • Assign different YubiKeys to multiple local accounts: Possible

  • Assign one YubiKey to multiple local accounts: Possible

  • Assign multiple YubiKeys to one local account: Possible

 Point:

YubiOn WindowsLogon Standalone also supports all of these options.


◯ If a YubiKey is lost:

You can log on without a YubiKey by entering the recovery code issued during YubiKey assignment.

However, this recovery code is quite long and must be manually entered on the logon screen, which can be cumbersome.

It’s a good idea to register a backup YubiKey in case the primary one is lost.

 Point:

YubiOn WindowsLogon Standalone has a feature called Master Key.


Also, if Windows is started in Safe Mode, you can log on without going through Yubico Login.

 Point:

YubiOn WindowsLogon Standalone still requires two-factor authentication even in Safe Mode.


◯ Enforcing Two-Factor Authentication:

If Windows Hello sign-in options (such as Windows Hello PIN) are enabled, users can log on using Windows Hello without a YubiKey.

To enforce two-factor authentication, these sign-in options must be disabled.

 Point:

YubiOn WindowsLogon Standalone includes a Secure Mode feature, which allows you to toggle between enforcing YubiKey-based two-factor authentication and permitting other sign-in options.
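
A read-only way to check a machine for the two bypass conditions noted in this article (Windows Hello sign-in options and Safe Mode), as an added PowerShell example that is not from the article or from Yubico. It assumes the standard Windows Hello credential provider CLSIDs and the "Exclude credential providers" policy value named in the comments, and it changes nothing on the system.

```powershell
# Added example: read-only audit of Windows Hello credential providers and boot mode.
$cpRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# Well-known CLSIDs of the built-in Windows Hello credential providers
$hello = @{
    '{D6886603-9D2F-4EB2-B667-1971041FA96B}' = 'Windows Hello PIN'
    '{BEC09223-B018-416D-A0AC-523971B639F5}' = 'Windows Hello Fingerprint'
    '{8AF662BF-65A0-4D0A-A540-A338A999D36F}' = 'Windows Hello Face'
}

# CLSIDs hidden from the logon UI by the "Exclude credential providers" policy
$excluded = @()
$pol = Get-ItemProperty -Path $polPath -Name ExcludedCredentialProviders -ErrorAction SilentlyContinue
if ($pol) {
    $excluded = $pol.ExcludedCredentialProviders -split ',' | ForEach-Object { $_.Trim().ToUpper() }
}

$report = foreach ($guid in $hello.Keys) {
    $key        = Join-Path $cpRoot $guid
    $registered = Test-Path -LiteralPath $key
    $disabled   = $false
    if ($registered) {
        # Disabled = 1 under the provider's key keeps the logon UI from loading it
        $d = Get-ItemProperty -LiteralPath $key -Name Disabled -ErrorAction SilentlyContinue
        $disabled = ($d -and $d.Disabled -eq 1)
    }
    $isExcluded = $excluded -contains $guid.ToUpper()
    [pscustomobject]@{
        Provider   = $hello[$guid]
        Registered = $registered
        Disabled   = $disabled
        Excluded   = $isExcluded
        Offered    = ($registered -and -not $disabled -and -not $isExcluded)
    }
}
$report | Sort-Object Provider | Format-Table -AutoSize

if ($report | Where-Object Offered) {
    Write-Warning 'A Windows Hello sign-in option can still be offered; logon without the YubiKey is possible.'
}

# Safe Mode: the article reports that Yubico Login is not enforced there.
# BootupState is "Normal boot" outside Safe Mode and "Fail-safe ..." inside it.
$boot = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
Write-Output "Current boot state: $boot"
```

"Offered" means only that the provider can be loaded on the logon screen; it does not show whether a particular account has enrolled a PIN or biometric.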


■ Conclusion

After trying Yubico Login for Windows, we confirmed that it provides a relatively easy way to implement two-factor authentication.

Although it is limited to Windows local accounts, it seems suitable for those who want to introduce two-factor authentication at logon to meet security requirements.


However, there are some security gaps: it only supports local accounts, and if Windows Hello sign-in options are enabled or the system is started in Safe Mode, users can bypass Yubico Login.


Our service, YubiOn WindowsLogon Standalone, provides enhanced security and addresses these shortcomings.

If you are interested in higher-security solutions for Windows two-factor authentication, please consider our service.



■ Reference

[Yubico Login for Windows Configuration Guide]


[YubiOn WindowsLogon Standalone]


[YubiOn Portal]

 
 
